Tag Archives: data breach

I find it fascinating to watch how data protection in general and GDPR in particular play out with the huge multinationals which it has been designed to capture, and which arguably have the most to lose in terms of fines. Facebook and Google are once again in the news in relation to their use of personal data. And the High Court judgement against Morrisons sets a precedent which aligns with GDPR’s intention of individuals’ rights to have their data protected.

Google accused of bypassing privacy settings to harvest personal information of 5.4 million iPhone users between 2011 and 2012

The search engine tech giant Google is being taken to court by a group called Google You Owe Us, led by ex-Which director Richard Lloyd. The group claims that several hundred pounds could be owed in compensation to the millions of victims of Google’s transgression against privacy rights, meaning Google could face a massive financial penalty.

Google breached DPA and PECR by misusing cookies

Google exploited cookies, which are small pieces of computer text that collect data from devices, to run large-scale targeted ad campaigns. In the UK Google’s actions were in breach of the Data Protection Act (DPA) and the Privacy and Electronic Communication Regulation (PECR). For such breaches after the General Data Protection Regulation (GDPR) comes into force in late May 2018, organisations could face a fine of up to €20 million or 4% of annual global turnover (whichever is higher – and for the billion-dollar giant Google, obviously the latter). However, this case relates to a period prior to GDPR.

Did you go online with your iPhone? Were your privacy preferences ignored?

For several months in 2011 and 2012, Google stands accused of bypassing the default privacy settings on Apple phones in order to track the online behaviour of Safari users, by placing ad-tracking cookies onto the devices. This then enabled advertisers to target content to those devices and their users.

The Google activity has become known as the ‘Safari workaround,’ and while it affected various devices, the lawsuit filed in the High Court addresses the targeting of iPhone users.

Over 5 million people in Britain had an iphone during the period. “In all my years speaking up for consumers,” Mr Lloyd from Google You Owe Us states, “I’ve rarely seen such a massive abuse of trust where so many people have no way to seek redress on their own. Through this action, we will send a strong message to Google and other tech giants in Silicon Valley that we’re not afraid to fight back.”

According to the veteran privacy rights campaigner, Google claimed that he must go to California, the heartland of the Silicon revolution, if he wanted to pursue legal action against the firm, to which he responded, “It is disappointing that they are trying to hide behind procedural and jurisdictional issues rather than being held to account for their actions.”

According to the BBC, the broadcaster was told by Google that these legal proceedings are “not new” and that they “have defended similar cases before.” Google has stated that they do not believe the case has any merit and that they intend to contest it.

While there is no precedent in the UK for such massive action against Google, in the US Google has settled two large-scale litigation cases out of court. Regarding the same activity, the tech company agreed to pay a record $22.5m (£16.8m) in a case brought by the US Federal Trade Commission in 2012. It also made out of court settlements with a small number of British consumers.

According to the BBC, the case will probably be heard in the High Court in Spring 2018, a month or so prior to the enforcement of the GDPR.

Morrisons found liable for employee data breach

Morrisons workers brought a claim against the supermarket after a former member of staff, senior internal auditor Andrew Skelton (imprisoned as a result of his actions) stole and posted online confidential data (including salary and bank details) about nearly 100,000 employees.

In an historic High Court ruling, the Supermarket has been found liable for Skelton’s actions, which means that those affected may claim compensation for the “upset and distress” caused.

The case is the first data leak class action in the UK. Morrisons has said it will appeal the decision.

Facebook claims European data protection standards will not allow for their pattern-recognition “suicide alert tool” to be usable in EU.

Facebook blames GDPR for its plans to withhold Suicide Prevention software from EU

Facebook’s decision to deny EU countries a pattern-recognition tool to alert authorities to users possibly suffering from depression or suicidal thoughts has been criticised as a move to undermine the upcoming tightening of EU-wide data protection standards, enshrined in the General Data Protection Regulation (GDPR).

Facebook has argued that their Artificial Intelligence (AI) programme which scans the social media network for troubling comments and posts that might indicate suicidal ideation will not be employed in EU countries on the grounds that European policy-makers and the public at large are too sensitive about privacy issues to allow site-wide scanning.

In a blogpost, Facebook’s VP of Product Management stated, “we are starting to roll out artificial intelligence outside the US to help identify when someone might be expressing thoughts of suicide, including on Facebook Live. This will eventually be available worldwide, except the EU.”

Tim Turner, a data consultant based in Manchester, has suggested that the move might be “a shot across the EU’s bows […] Facebook perhaps wants to undermine the GDPR — which doesn’t change many of the legal challenges significantly for this — and they’re using this as a method to do so.”

Mr Turner continues, “nobody could argue with wanting to save lives, and it could be a way of watering down legislation that is a challenge to Facebook’s data hungry business model. Without details of what they think the legal problems are with this, I’m not sure they deserve the benefit of the doubt.”

Equifax data breach – hackers may have access to hundreds of thousands of British consumers’ personal details

The Information Commissioner’s Office (ICO) is investigating a hack on Equifax, a large credit rating agency based in Atlanta, USA, to find out whether and to what extent the company’s British consumers’ personal details have been obtained by the hackers. The FBI is also said to be monitoring the situation.

The cyberattack, reported earlier this month, occurred in May and July. The company has already admitted that 143 million American customers’ personal details have been obtained by the hackers.

400,000 UK customers may be affected by Equifax breach

The US information that the hackers may have accessed includes names, social security numbers, dates of birth, addresses and driving licence details, as well as over 200,000 credit card numbers.

The ICO told Equifax that the company must warn British residents of the data breach and inform them of any information relating to them which has been obtained by the cyber attackers. The credit agency promptly issued alerts to the affected Britons, stating however that an ‘identity takeover’ was unlikely.

Britons would do well to be mindful that, once a hacker has name, date of birth, email addresses, and telephone numbers, it takes little effort to acquire the missing elements, which is why the ICO has warned members of the public to remain vigilant against unsolicited emails and communications. They should also be particularly wary of unexpected transactions or activity recorded on their financial statements.

Shares in Equifax saw considerable reductions throughout the week, and two of the company’s senior executives, the Chief Information Officer and Chief Security Officer have resigned with immediate effect..

The Data Protection Bill 2017, which includes GPDR, has been published

GDPR is included in its entirety in the UK’s Data Protection Bill 2017, now going through Parliament

On 14th September, the Department for Digital, Culture, Media and Sport published the Data Protection Bill 2017. The Bill has been anticipated since the Queen’s speech in June, in which the government outlined its plan to implement the European-wide data protection game-changer GDPR into British law.

Culture secretary Karen Bradley explains: “The Data Protection Bill will give people more control over their data, support businesses in their use of data, and prepare Britain for Brexit. In the digital world strong cyber security and data protection go hand in hand. This Bill is a key component of our work to secure personal information online.”

While the Bill inculcates the GDPR, and therefore provides the basis for data-sharing and other adequacy agreements with the EU after Brexit, the government has stated that it managed to negotiate some ‘vital’ and ‘proportionate’ exemptions for the UK.

Some of the exemptions are provided for journalists accessing personal data to expose wrongdoing or for the good of the public; scientific and research organisations such as museums if their work is hindered; anti-doping bodies; financial firms handling personal data on suspicion of terrorist financing; money laundering; and employment where access may be neededs to personal data to fulfil the requirements of employment law.

The second reading of the Bill in Parliament will take place on 10th October, after which a general debate on Brexit and data protection takes place on the 12th.

As yet, there have been few critics of the proposed legislation outside certain industries whose use of big data makes them particularly susceptible to possible data protection breaches and massive fines (£17m or 4% annual global turnover). Some industry leaders have called for exemptions, including the private pension giant Scottish Widows, who claimed GDPR-level regulations would make it impossible for them to contact some of their customers without breaking the law. However, according to the government, 80% of Britons do not believe that they have control over their information online, and the Bill enjoys widespread support at this point. The Shadow Cabinet has yet to offer any official response or criticism.

Design faults in the Council’s ‘Ticket Viewer’ system, which keeps CCTV images of parking offences, compromised the security of 89,000 peoples’ personal data. Some of this data is under the category of sensitive personal information, e.g. medical details disclosed for the sake of appealing against a parking fine.

Corporate pensions company Scottish Widows to lobby for specific exemptions from the General Data Protection Regulation ahead of EU initiative’s May 2018 introduction.

Scottish Widows seeks derogations in relation to communicating with its customers in order to “bring people to better outcomes.”

The Lloyds Banking Group subsidiary Scottish Widows, the 202-year old life, pensions and investment company based in Edinburgh, has called for derogations from the GDPR.

A great deal has been written across the Internet about the impending GDPR, and much of the information available is contradictory. In fact many organisations and companies have been at pains to work out what exactly will be expected of them come May 2018. While it is true that the GDPR will substantially increase policy enforcers’ remits for penalising breaches of data protection law, the decontextualized figure of monetary penalties reaching €20 million or 4% of annual global turnover – while accurate in severe cases – has become something of a tub-thump for critics of the regulation.

Nevertheless, the GDPR is the most ambitious and widescale attempt to secure individual privacy rights in a proliferating global information economy to date, and organisations should be preparing for compliance. But the tangible benefits from consumer and investor trust provided by data compliance should always be kept in sight. There is more information about the GDPR on this blog and the Data Compliant main site.

Certain sectors will feel the effects of GDPR – in terms of the scale of work to prepare for compliance – more than others. It is perhaps understandable, therefore, why Scottish Widows, whose pension schemes may often be supplemented by semi-regular advice and contact, would seek derogations from the GDPR’s tightened conditions for proving consent to specific types of communications. Since the manner in which consent to communicate with their customers was acquired by Scottish Widows will not be recognised under the new laws, the company points out that “in future we will not be able to speak to old customers we are currently allowed to speak to.”

Scottish Widows’ head of policy, pensions and investments Peter Glancy’s central claim is that “GDPR means we can’t do a lot of things that you might want to be able to do to bring people to better outcomes.”

Article 23 of the GDPR enables legislators to provide derogations in certain circumstances. The Home Office and Department of Health for instance have specific derogations so as not to interfere with the safeguarding of public health and security. Scottish Widows cite the Treasury’s and DWP’s encouragement of increased pension savings, and so it may well be that the company plans to lobby for specific exemptions on the grounds that, as it stands, the GDPR may put pressure on the safeguarding of the public’s “economic or financial interests.”

Profiling low income workers and vulnerable people for marketing purposes in gambling industry provokes outrage and renewed calls for reform.

The ICO penalised charities for “wealth profiling”. Gambling companies are also “wealth profiling” in reverse – to target people on low incomes who can ill afford to play

If doubts remain that the systematic misuse of personal data demands tougher data protection regulations, these may be dispelled by revelations that the gambling industry has been using third party affiliates to harvest data so that online casinos and bookmakers can target people on low incomes and former betting addicts.

An increase in the cost of gambling ads has prompted the industry to adopt more aggressive marketing and profiling with the use of data analysis. An investigation by the Guardian including interviews with industry and ex-industry insiders describes a system whereby data providers or ‘data houses’ collect information on age, income, debt, credit information and insurance details. This information is then passed on to betting affiliates, who in turn refer customers to online bookmakers for a fee. This helps the affiliates and the gambling firms tailor their marketing to people on low incomes, who, according to a digital marketer, “were among the most successfully targeted segments.”

The data is procured through various prize and raffle sites that prompt participants to divulge personal information after a lengthy terms and conditions that marketers in the industry suspect serves only to obscure to many users how and where the data will be transferred and used.

This practice, which enables ex-addicts to be tempted back into gambling by the offer of free bets, has been described as extremely effective. In November last year, the Information Commissioner’s Office (ICO) targeted more than 400 companies after allegations the betting industry was sending spam texts (a misuse of personal data). But it is not mentioned that any official measures were taken after the investigations, which might have included such actions as a fine of £500,000 under the current regulations. Gambling companies are regulated by the slightly separate Gambling Commission, who seek to ensure responsible marketing and practice. But under the GDPR it may well be that the ICO would have licence to take a much stronger stance against the industry’s entrenched abuse of personal information to encourage problem gambling.

According to the board, a new variant of the malware Bitpaymer, different to the infamous global WannaCry malware, infected its network and led to some appointment and procedure cancellations. Investigations are ongoing into how the malware managed to infect the system without detection.

Complete defence against ransomware attacks is problematic for the NHS because certain vital life-saving machinery and equipment could be disturbed or rendered dysfunctional if the NHS network is changed too dramatically (i.e. tweaked to improve anti-virus protection).

A spokesman for the board’s IT department told the BBC, “Our security software and systems were up to date with the latest signature files, but as this was a new malware variant the latest security software was unable to detect it. Following analysis of the malware our security providers issued an updated signature so that this variant can now be detected and blocked.”

Catching the hackers in the act

Attacks on newly-set up online servers start within just over one hour, and are then subjected to “constant” assault.

According to an experiment conducted by the BBC, cyber-criminals start attacking newly set-up online servers about an hour after they are switched on.

The BBC asked a security company, Cybereason, to carry out to judge the scale and calibre of cyber-attacks that firms face every day. A “honeypot” was then set up, in which servers were given real, public IP addresses and other identifying information that announced their online presence, each was configured to resemble, superficially at least, a legitimate server. Each server could accept requests for webpages, file transfers and secure networking, and was accessible online for about 170 hours.

They found that that automated attack tools scanned such servers about 71 minutes after they were set up online, trying to find areas they could exploit. Once the machines had been found by the bots, they were subjected to a “constant” assault by the attack tools.

Vulnerable people’s personal information exposed online for five years

Vulnerable customers’ personal data needs significant care to protect the individuals and their homes from harm

Nottinghamshire County Council has been fined £70,000 by the Information Commissioner’s Office for posting genders, addresses, postcodes and care needs of elderly and disabled people in an online directory – without basic security or access restrictions such as a basic login requiring username or password. The data also included details of the individuals’ care needs, the number of home visits per day and whether they were or had been in hospital. Though names were not included on the portal, it would have taken very little effort to identify the individuals from their addresses and genders.

This breach was discovered when a member of the public was able to access and view the data without any need to login, and was concerned that it could enable criminals to target vulnerable people – especially as such criminals would be aware that the home would be empty if the occupant was in hospital.

The ICO’s Head of Enforcement, Steve Eckersley, stated that there was no good reason for the council to have overlooked the need to put robust measures in place to protect the data – the council had financial and staffing resources available. He described the breach as “serious and prolonged” and “totally unacceptable and inexcusable.”

The “Home Care Allocation System” (HCAS) online portal was launched in July 2011, to allow social care providers to confirm that they had capacity to support a particular service user. The breach was reported in June 2016, and by this time the HCAS system contained a directory of 81 service users. It is understood that the data of 3,000 people had been posted in the five years the system was online.

Not surprisingly, the Council offered no mitigation to the ICO. This is a typical example of where a Data Privacy Impact Assessement will be mandated under GDPR.

This week there’s been much in the media about the UK’s upcoming new Data Protection Bill. Unfortunately some of the reporting has been unclear, providing very woolly information on some of the new rights of individuals, and the circumstances they do – or do not – apply. Nonetheless, the main story is that the Data Protection Act will be replaced and that it will include the requirements of the EU’s General Data Protection Regulation (GDPR).

In other news, the ICO has taken further action against companies who fail to follow the current Data Protection Act and PECR regulations. This week the spotlight falls on companies who fail to screen their call lists against TPS. This illegal behaviour has resulted in fines of £150,000 for the week.

Data Protection Bill set to be read out in Parliament in September

As promised in the Queen’s Speech, GDPR will become part of the UK’s new data protection law. The process begins next month in Parliament.

The government has said that it plans to give the Data Protection Bill, announced in the Queen’s speech in June, an airing in Parliament at some point next month. This has been confirmed by the Department for Digital, Culture, Media and Sport (which continues to be officially abbreviated as DCMS, despite the recent addition of ‘Digital’).

The new Bill will replace the existing Data Protection Act 1998 and one of its chief aims is to implement the EU-wide General Data Protection Regulation (GDPR). The UK must adhere to GDPR during its time as a member state and almost certainly beyond – albeit under different legal provisions. The manner in which this EU initiative could apply in the UK after a finalised Brexit is discussed in the next story.

This first reading of the Bill next month is largely a formality. It gives lawmakers, consultants and interested parties a chance to inform themselves and gather the information they need before a second reading takes place, during which a parliamentary debate is properly staged.

Last month, Germany became the first EU member state to approve its data protection legislation meeting the requirements of GDPR – the German Federal Data Protection Act (‘Bundesdatenschutzgesetz‘).

House of Lords publishes a report on the EU data protection package

Responding to the government’s plans outlined in a White Paper on The United Kingdom’s exit from and new partnership with the European Union, the House of Lords has reviewed various options regarding the data protection policy aspect of this new relationship in a report published on 18th July.

Since the government has stated that it wants to “maintain unhindered and uninterrupted data flows with the EU post-Brexit,” the House of Lords has assessed this commitment with a view to providing a more detailed set of practical objectives.

For the UK to continue trading with EU citizens post-Brexit, GDPR or its equivalent will need to apply.

The report summarises that the UK has two feasible options if it wants to continue uninterrupted data flow with the EU, which is now a lynchpin in our service-driven economy. There will be a transitional period of adopting the General Data Protection Regulation (GDPR) and the Police and Criminal Justice Directive (PCJ) while the UK remains an EU Member State, regulations which the government plans to implement with the aforementioned new Data Protection Bill. But the report states that after Brexit, the UK will either have to pursue an ‘adequacy decision’ from the European Commission, “certifying that [the UK] provides a standard of protection which is ‘essentially equivalent’ to EU data protection standards,” or else individual data controllers will have to implement their own data protection safeguards, which would “include tools such as Standard Contractual Clauses, and Binding Corporate Rules.”

The report favours the former, that is, adequacy decisions conferred to the UK as a third state in its relation to the EU, provided under Articles 45 and 36 of the GDPR and PCJ respectively. The report states that the Lords were “persuaded by the Information Commissioner’s view that the UK is so heavily integrated with the EU – three quarters of the UK’s cross-border data flows are with EU countries – that it would be difficult for the UK to get by without an adequacy arrangement.”

The report concludes that there is no prospect of a clean break, since the UK will have to continue to update its domestic data protection policies to remain aligned to the standards of EU data protection in the event of changing regulations – that is, if the UK wants the seamless transfer of data with EU countries that is regarded as crucial to the digital economy and the UK’s competitive position in the modern globalised market.

The ICO has issued official warnings, “reminding companies making direct marketing calls that people registered with the Telephone Preference Service are ‘off-limits,’” after two Bradford-based firms were fined a total of £150,000 for flouting this preference.

Calling consumers without consent is illegal unless you run the files against TPS.

HPAS Ltd (t/a Safestyle UK) and Laura Anderson Ltd (t/a Virgo Home Improvements) have been fined £70,000 and £80,000 respectively for making illegal nuisance calls to people on the TPS register. Both firms have been issued enforcement notices and will face court action if the practice continues.

The ICO received 264 complaints about Virgo over 20 months (despite repeated warnings and formal monitoring), and 440 complaints about the latter in 19 months. Virgo Home Improvements had already been fined £33,000 just over a year ago, bringing their total fines for making nuisance calls up to £113,000.

One complaint about Safestyle quoted by the ICO read, “this harassment has been going on for over five years now. I want it to stop.” Members of the public are becoming increasingly aware of data protection policy, and the prospect of new legislation that will crack down on aggravating breaches such as these will be welcomed by many.

Corrupted Ukrainian accountancy software ‘MEDoc’ is suspected to be the medium of a cyberattack on companies ranging from British ad agency WPP to Tasmanian Cadbury’s factory, with many European and American firms reporting disruption to services. Banks in Ukraine, Russian oil giant Rosneft, shipping giant Maersk, a Rotterdam port operator, Dutch global parcel service TNT and US law firm DLA Piper were among those suffering inabilities to process orders or else general computer shutdowns.

Heralded as “a recent dangerous trend” by Microsoft, this attack comes just 6 weeks after the WannaCry attack primarily affecting NHS hospitals. Both attacks appear to make use of a Windows vulnerability called ‘Eternal Blue,’ thought to have been discovered by the NSA and leaked online – although the NSA has not confirmed this. The NSA’s possible use of this vulnerability, which has served to create a model for cyber-attacks for political and criminal hackers, has been described by security experts as “a nightmare scenario.”

A BBC report suggests that given 80% of all instances of this malware were in Ukraine, and that the provided email address for the ‘ransom’ closed down quickly, the attack could be politically motivated at Ukraine or those who do business in Ukraine. Recent announcements suggest it could be related to data not money.

The malware appears to have been channelled through the automatic update system, according to security experts including the malware expert credited with ending the WannaCry attack, Marcus Hutchins. The MEDoc software would have originally begun this process legitimately, but at some point the update system released the malware into numerous companies’ computer systems.

In a blog published at the end of last week, the tech firm Google have confirmed that they will stop scanning Gmail users’ emails for the sake of accruing data to be used in personalised adverts, by the end of the year. This will put the consumer version of Gmail in line with the business edition.

Google had advertised their Gmail service by offering 1GB of ‘free’ webmail storage. However, it transpired that Google was paying for this offer by running these scans.

This recent change in tactic has been met with ‘qualified’ welcome by privacy campaigners. Executive director Dr Gus Hosein of Privacy International, the British charity who have been campaigning for regulators to intervene since they discovered the scans, stated:

When they first came up with the dangerous idea of monetising the content of our communications, Privacy International warned Google against setting the precedent of breaking the confidentiality of messages for the sake of additional income. […] Of course they can now take this decision after they have consolidated their position in the marketplace as the aggregator of nearly all the data on internet usage, aside from the other giant, Facebook.

Google faced a fairly substantial backlash on account of these scans when they were discovered, notably from Microsoft, with their series of critical ‘Gmail man’ adverts, depicting a man searching through people’s messages.

However, digital rights watchdog Big Brother Watch celebrated Google’s move, describing it as “absolutely a step in the right direction, let’s hope it encourages others to follow suit.”

UK Conservative Party under investigation for breaching data protection and election law

A Channel 4 News undercover investigation has provoked ‘serious allegations’ of data protection and election offences against the Conservative Party.

The investigation uncovered the party’s use of a market research firm based in Neath, South Wales, to make thousands of cold calls to voters in marginal seats ahead of the election this month. Call centre staff followed a ‘market research’ script, but under scrutiny this script appears to canvass for specific local Conservative candidates – in a severe breach of election law.

Despite the information commissioner Elizabeth Denham’s written warnings to all major parties before the election began, reminding them of data protection law and the illegality of such telecommunications, the Conservatives operated a fake market research company. This constitutes a breach separate to election law, and mandates the Information Commissioner’s Office to investigate.

The ICO’s statement on 23rd June reads,

The investigation has uncovered what appear to be underhand and potentially unlawful practices at the centre, in calls made on behalf of the Conservative Party. These allegations include:

Misleading calls claiming to be from an ‘independent market research company’ which does not apparently exist

MyHome Installations Ltd fined £50,000 for nuisance calls

Facing somewhat less public scrutiny and condemnation than the Conservative Party, Maidstone domestic security firm MyHome Installations has been issued a £50,000 fine by the ICO for making nuisance calls.

The people who received these calls had explicitly opted out of telephone marketing by registering their numbers with the Telephone Preference Service (TPS), the “UK’s official opt-out of telephone marketing.”

The ICO received 169 complaints from members of the public who’d received unwanted calls about electrical surveys and home security from MyHome Installations Ltd.

It’s the weekend before Christmas. Have you done all your Christmas shopping? If you’re shopping online, this is the last weekend you can really do your online shopping and still get everything delivered on time.

Now you may be bored of hearing it but please be careful, look after your passwords, change them regularly, don’t have devices store your information! Lets start the year without a stranger stealing money from your credit cards and bank accounts!

Yahoo…Again

This week brings us the news that Yahoo had announced a hack from 2013 – a separate breach to the 500,000 hacked records announced in September.

Yahoo was investigating the 2014 breach when it uncovered the earlier hack – this time discovering that a billions accounts had been compromised.

The reputational damage to Yahoo is enormous – a clear pattern of poor security is emerging and if I had an account with Yahoo, I’d be considering changing my provider immediately. Having said that, though, how can we be certain that other companies haven’t had similar breaches and we just don’t know about them yet?

The ICO’s deputy commissioner, Simon Entwisle has released a statement saying that they are talking to Yahoo and will try to find out how many UK users have been affected by the latest hack. Their immediate advice is to recommend strongly that customers change their passwords if they haven’t already.

TalkTalkAn update on the huge TalkTalk hack has been released. One of the hackers, a 17 year old, has admitted to 7 offences relating to the hack and has been given a 12-month rehabilitation order and an £85 fine. He was told his excellent computer skills need to be used for the good. 19-year old Daniel Kelley also pleaded guilty. He has been told that a jail sentence is inevitable, and has been released on bail prior to sentencing in March.

UberUber has come under fire after an ex-worker claimed that staff could track fares of celebrities, politicians and even ex-partners. If that’s true, it’s lucky for me I’ve only ever used it in Australia where no exes live and unfortunately I’m not yet a celeb!

Uber released a statement to the Standard stating that the claims made by Mr Spangenberg are “absolutely not true … we have hundreds of security and privacy experts working round the clock to protect our data … all potential violations are quickly and thoroughly investigated.” Uber also makes it clear that access to personal data is limited to approved workers who may only access the data they need in order to perform their job function.

Lionhead Studio just as bad as ‘Trolls”?It has been released this week at a BAFTA event that a teenager targeted Sam van Tilburgh and his team, back in 2003, when they were creating the game Fable. The teen released a screen shot of the hero stabbing a child in the head – something no one was expecting to see.

Rather than go through official routes, Tilburgh and team decided adopt an unconventional aporiach. They were able to track the boy’s IP address and let care the teenager. They then ‘acquired’ some of his school work from and published a part of it, with a demand that he stop or they would publish more and tell be his family what he was up to. He did indeed stop.

Tilburgh said Lionhead’s legal team knew nothing of the retaliating hack, and it has taken 13 years for the story to surface! I wonder if there’ll be repercussions.

The National Lottery hit with fineSo it wasn’t so long ago we heard that hackers had attacked The National Lottery (TNL). Today we hear TNL’s operator Camelot has been issued with a fine of £3m because of a fraudulent payout back in 2009. How this happened has not yet been announced but it sounds as if a ‘deliberately damaged ticket’ was to blame. The prize fund payout is suspected to be around £2.5m but the actual figure has not yet been officially released.

I, for one will continue to buy my lottery tickets. Although The National Lottery has come under fire recently, it has fuelled a whopping £36 billion into good causes such as sports, community and heritage projects. Also imagine if you won.. (legitimately)

Another day … another hack. Such events are inescapably becoming almost daily news. The endless catalogue of everyday cyber crime, ranging from hacking, ransom attacks, bullying, breaches, theft and fraud, simply underlines that any crime that can be committed in our physical world can – and is – equally being perpetrated in cyber space.

Given that such attacks and breaches are making the headlines almost daily, it baffles me that companies and customers (that’s us by the way) don’t make a greater effort to protect themselves.

Camelot, The National Lottery’s operator, discovered this latest breach on Sunday and went public on Wednesday morning. Camelot says that only 26,500 of the 9.5 million registered user accounts were compromised, and that there has only been activity on just under 50 of the infiltrated accounts. They have confirmed that no money has been removed or added to any of these accounts and that the National Lottery does not hold full debit card or bank account details. The Information Commissioner’s Office says it has launched an investigation.

Camelot insists that the reason for the compromised accounts is because users have been operating the same password for multiple websites. (Sound familiar? Last week’s Deliveroo breach comes to mind).

Quite properly when we hear of a data breach we turn the spotlight onto the companies that we deal with, who are in charge of protecting our information. But it would be no bad thing for us to point the spotlight at ourselves as the other half of the equation. As consumers, we have to take responsibility too.

We have all repeatedly been advised – and frankly, must surely know by now – it is vital that a different password is used for every website. For as long as we fail to take this basic precaution, these breaches will be possible. It would seem that we’re no or slow learners.

I don’t know about you, but I have more accounts than I care to think about. A password including capital letters, symbols and numbers is difficult enough to remember for just one account. However with hacks happening more and more frequently it’s made me pull up my socks and change all of my passwords.

I choose not to have my phone or computer store my passwords, because if either device is stolen (or lost) someone will have all my information in the palm of their hand.

It’s time we all realised how vitally important it is to have safe and secure and different passwords for every account we have, especially when cyber criminals are getting wiser and more sophisticated by the minute. A password is a key. So using just one password to access all your websites means that you are effectively handing criminals the master key to all your online activity.

Hint – A password with 12 characters including a few bits and pieces can take over 2 centuries to crack … that’s the one for me!